Mallory

Lyrix

Lyrix is a ransomware strain described as a new Python-based ransomware spotted in the wild. Reporting places it among the many short-lived ransomware families that emerged in 2025, a fragmented ecosystem characterized by rapid rebranding, shared tooling and infrastructure, and operational adaptation rather than major technical innovation. In that broader context, groups associated with families such as Lyrix commonly relied on identity-based compromise for initial access, including stolen VPN credentials, MFA fatigue, session token hijacking, OAuth abuse, phishing, SaaS abuse, and exploitation of cloud/SaaS misconfigurations. The surrounding reporting also indicates that many such operations used lightweight, minimally obfuscated malware, often in RaaS-style extortion campaigns, with data theft and extortion sometimes replacing or preceding encryption. Lyrix is also referenced in discussion of groups experimenting with AI-themed branding, hybrid hacktivist narratives, and sector targeting. High-confidence details specific to Lyrix in the provided content are limited to its identification as a ransomware strain, its Python-based implementation, and its emergence in 2025.
